There are two ways users can log in to gain access to CXone.
-
You can log in on the NICE CXone global authentication page with a username, password, and, if enabled,
-
You can log in through an external identity provider (IdP) such as AzureAD, Auth0, Active Directory Federation Services (ADFS), Okta, SAML 2.0 (SP-initiated), OpenID Connect, and Ping.
General Login Process
If you do not have federation enabled through an IdP, then log in to CXone through the global authentication page.
-
Enter the URL for the CXone application you're trying to access into your browser. You will be redirected to the global authentication page.
-
Enter your username in the Username field and click NEXT. By default, your username matches the email listed on your account. An administrator can change your username to something other than your email, but it must still be in an email format.
-
Enter your password in the Password field and click Sign In. If you enter a valid password, you will be given access to the application. If you enter an invalid password or username, you will be directed to enter your password again. To reenter your username, click Back.
-
If you've forgotten your password, click Forgot your password?. You will receive an email with a link to reset your password. Your new password must meet the password requirements set in your assigned login authenticator.
Account Lockouts
Users are locked out of CXone after
Irene Adler is attempting to log in to Sherlock Holmes' account in CXone. After she enters his password incorrectly three times, a warning appears above the login window stating she has two login attempts left before she will be locked out. She enters two more incorrect passwords and is locked out of CXone for 30 minutes. After the 30 minutes are up, Adler enters another incorrect password. She is now locked out of CXone for an hour and is unable to steal Holmes' information.
MFA Login Process
You can set up multi-factor authentication (MFA) for your employees. Users enabled with MFA will have to enter an MFA token when they log in to CXone.
View login page with Password and MFA Token fields.
-
Enter the URL for the CXone application you're trying to access into your browser. You will be redirected to the global authentication page.
-
Enter your username in the Username field and click NEXT. By default, your username matches the email listed on your account. An administrator can change your username to something other than your email, but it must still be in an email format.
-
Enter your password and MFA token, then click Sign In. If you enter a valid username, password, and token, you will be given access to the application. If you enter invalid credentials, you will be directed to reenter your password and MFA token. To reenter your username, click Back.
-
If you've forgotten your password, click Forgot your password?. You will receive an email with a link to reset your password. Your new password must meet the password requirements set in your assigned login authenticator.
Single Sign-On
Single sign-on, or SSO, is a term that can mean different things to different people. Once you're logged in to a system, you can launch other applications in that system without being asked to log in again. NICE CXone currently has partial and uneven support for SSO across its applications.
Users log in to a system of cooperating applications, but the process is always initiated through one of those applications. This means you do not log in to the authentication system directly, only indirectly through other applications. The authentication system tracks the last user to log in. This allows applications to automatically log in as that user on launch through SSO. There are two ways SSO functionality is disabled:
-
For security, the logged in user is cleared after 24 hours.
-
For user experience, the logged in user is cleared when any application logs out.
Single Sign-Out
CXone does not support single sign-out. To understand this, consider how Google manages its applications. If you log in to Gmail, you might be prompted to log in. Once logged in, you can then launch Google Calendar in a different browser window without logging in. However, if you log out of either application, you will be logged out of all Google applications. This is single sign-out.
There are several reasons why CXone doesn't support single sign-out. Most notably, it is common for users to log out of one application, like Admin, but continue to use other applications, like MAX. We want to allow applications to log out and then log in again as a different user. These two requirements seem to conflict. We resolve this by allowing the log out behavior to only apply to the application itself and the authentication system that controls SSO. So, logging out of one application has no impact on other, running applications. However, it won't allow other applications to log in automatically.
It is usually necessary to clear local state stored in the browser in order to log out. It is not a requirement that access tokens or refresh tokens be invalidated as part of logout. Applications that rely on local state may not be logged out by closing the browser window. Local states will not be refreshed and may be stale when the browser is next launched, but the information may still be there. The local state may allow the application to log in without referring to the SSO system. This allows you to restore windows you close by accident. You can always log out and then back in if you want to change the user.
Applications that Launch Other Applications
You can launch other applications from within our applications. For example:
-
You can launch MAX or Supervisor
-
You can open a WFO tab in MAX or Salesforce Agent which launches an embedded view of CXone.
These cases cannot use the SSO functionality provided by the authentication system. This is because CXone doesn't ensure consistency of user between the SSO system and a running application. Instead, the new application inherits the login information of the application that is launching it. For example, assume you launch the CXone suite and then launch MAX. MAX doesn't need to go to the SSO system to determine the current user. That information can be passed directly to it by CXone. The same applies to the WFO tab inside MAX. In any case where the application is launching another application, it passes user information along which ensures consistency.
A user launches CXone and logs in as Jay Gatsby. Then they launch MAX which is automatically logged in as Jay Gatsby. Back in CXone the user logs out and back in as Nick Carraway. Now there is one window (MAX) logged in as Jay Gatsby and another (CXone) logged in as Nick Carraway. The user then uses MAX to expand the WFO tab. If that tab used SSO information, then it would show information for Nick Carraway which would be problematic. Instead, MAX passes its log in information for Jay Gatsby to the WFO application. In this way, consistency is assured with the benefit of not having to log in again.
Browser Requirements Associated with SSO
Most NICE CXone applications are web-based and must operate within the constraints of different browsers. They must meet user-expected behavior that is common for web applications.
Federated Identity Management
Federated identity management (FIM) can be a confusing term because of its overlap with SSO. FIM is a set of technologies that can provide SSO. An example of this is a website that allows you to sign up and sign in using a Facebook or Google account. In this case, the website is using FIM and gets SSO for free. If you are logged in to Facebook already, then you might be prompted to allow the new website to integrate. After that integration, you are not asked to log in to Facebook each time you access that website.
CXone supports FIM by using two different technologies: SAML 2.0 and OpenID Connect. Depending on how they are configured, these technologies may provide SSO. Currently, all FIM solutions break CXone's internal SSO for the University and Developer sites.